
The Iranian state-sponsored threat actor known as Nimbus Manticore (also tracked as Screening Serpens and UNC1549) is believed to have engaged in a new campaign using decoys impersonating aviation and software organizations across the United States, Europe, and the Middle East following the joint U.S.-Israeli military operation against Iran in late February 2026.
In addition to incorporating previously undocumented techniques and enhanced functionality, the campaign is characterized by the use of a new backdoor codenamed MiniFast (also known as MiniUpdate) that appears to have been developed with the assistance of artificial intelligence (AI), Check Point said in an analysis published last week.
Nimbus Manticore, a unit of Iran’s Islamic Revolutionary Guards Corps (IRGC), is best known for targeting the defense, aviation, and communications sectors using career-themed phishing lures. These campaigns are also codenamed Iranian DreamJob because of their tactical similarities to Operation DreamJob, which was run by North Korean hackers.
Recent attack chains associated with this threat actor have seen a shift in tradecraft, as evidenced by the use of AppDomain hijacking to distribute MiniJunk in February 2026, followed by the introduction of the MiniFast backdoor in March, and the reliance on SEO poisoning to distribute a trojanized version of Oracle’s SQL Developer software in April.
In the first campaign, observed before the start of the war, employees in the software and aviation sectors in Saudi Arabia and Australia were given fake career opportunities and tricked into downloading ZIP archives hosted on OnlyOffice. Launching a benign executable within the ZIP file leveraged a technique known as AppDomain hijacking to launch the malicious MiniJunk DLL.
The March 2026 campaign was found to have followed much the same approach, only this time the attackers also used a trojanized Zoom installer as part of the attack sequence to launch the binary and leverage AppDomain hijacking to deploy MiniFast. This activity is suspected to be part of a phishing campaign using fake meeting invitations.
There is evidence that Nimbus Manticore used AI-assisted development to create MiniFast. This includes excessive error handling and defensive programming logic, repetitive function and method naming patterns with descriptive or redundant identifiers, several detailed error reporting strings and debug-style status messages, and a modular code structure despite the malware’s overall simplicity.
Check Point said last month that it also observed a fake website that posed as a SQL Developer download page and tricked visitors who arrived there via SEO poisoning into downloading a weaponized installer offering MiniFast. This development marks the first time a threat actor has utilized this approach for malware distribution.

“This malware delivery method differs from Nimbus Manticore’s usual infection chain, which typically relies on career-themed phishing lures,” the company said. “In this campaign, the attackers exploit search engine optimization techniques by registering dozens of domains that link to the fake domain getsqldeveloper[.]com. This may be an attempt to increase the site’s visibility through link-based reputation signals.”
MiniFast is described as a full-featured backdoor designed for long-term persistence and remote command execution. It communicates with a remote server via HTTP requests to retrieve tasks, upload command execution results, extract files, and download additional payloads from the server. Before entering the task loop, the malware also sends basic system information to the operator.
The backdoor supports a wide range of commands, allowing file manipulation, directory listing, process enumeration, command execution with ‘cmd.exe’, termination of processes using PID, loading of DLLs, creation of ZIP archives, persistence through scheduled tasks, and privilege escalation through the ‘runas’ command.
The backdoor also supports the ability to update the polling interval and jitter values applied to the beacon interval in order to randomize the frequency with which commands are retrieved from the server.
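The polling behaviour described above (a fixed beacon interval with a bounded jitter applied to it) is also what makes such a backdoor visible in proxy logs. The following detection script is an added example and not code from Check Point or from the malware; the log lines, client address, and hostnames are constructed, and the interval and jitter thresholds are assumptions to be tuned per environment.

```python
"""Beacon detection over web-proxy logs: flag client/host pairs whose request
inter-arrival times cluster around one interval with bounded jitter, the
pattern produced by a task-polling backdoor. All log data here is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <client> <host> <method> <path>".
# The first host is polled roughly every 60 s with ±~15 % jitter; the second
# is ordinary, bursty browsing by the same client.
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:01:05 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:02:01 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:03:10 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:04:02 10.0.0.5 updates.example-cdn.test POST /api/result
2026-03-10T09:05:08 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:06:00 10.0.0.5 updates.example-cdn.test GET /api/tasks
2026-03-10T09:00:03 10.0.0.5 www.example-news.test GET /
2026-03-10T09:00:04 10.0.0.5 www.example-news.test GET /style.css
2026-03-10T09:00:04 10.0.0.5 www.example-news.test GET /app.js
2026-03-10T09:07:30 10.0.0.5 www.example-news.test GET /article/42
2026-03-10T09:07:31 10.0.0.5 www.example-news.test GET /img/a.png
2026-03-10T09:41:12 10.0.0.5 www.example-news.test GET /article/43
"""


def parse_log(text):
    """Return {(client, host): [datetime, ...]} with timestamps sorted."""
    series = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, client, host, _method, _path = line.split()
            series[(client, host)].append(datetime.fromisoformat(ts))
    for times in series.values():
        times.sort()
    return series


def interval_stats(times):
    """Median inter-request interval (s) and jitter ratio (MAD / median).

    The median absolute deviation tolerates an occasional long gap (host
    asleep, network outage) that a plain max-deviation check would not."""
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(deltas) < 2:
        return None
    med = median(deltas)
    if med <= 0:  # identical timestamps; cannot be a timed beacon
        return None
    mad = median([abs(d - med) for d in deltas])
    return med, mad / med, len(deltas)


def find_beacons(text, min_requests=6, max_jitter_ratio=0.3):
    """Flag pairs with enough requests and a tight, regular cadence."""
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_requests:
            continue
        stats = interval_stats(times)
        if stats and stats[1] <= max_jitter_ratio:
            hits.append({"client": client, "host": host, "interval_s": stats[0],
                         "jitter_ratio": round(stats[1], 3), "requests": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A real deployment would bucket by day and raise the request floor; a jittered beacon still converges on a stable median, so the jitter ratio is the discriminating signal, not the raw interval.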

“What is striking is that the group’s ambitions extended far beyond targeted espionage in the Middle East,” Sergey Shykevich, threat intelligence group manager at Check Point Research, said in a statement shared with The Hacker News. “We found strong indications that Nimbus Manticore is using AI tools to create malware faster.”
“They built and deployed an entirely new backdoor while the operation was actively underway during the conflict, and we followed up on the third wave of the campaign using an entirely different strategy: SEO poisoning.”
“They created a fake SQL Developer download page and pushed it to the top of Bing and DuckDuckGo. No spear phishing, no fake job openings, just waiting for developers to search for common software. And when we mapped all three waves together from February to April, there were no interruptions. Far from slowing them down, the conflict actually accelerated them.”
This disclosure is consistent with a Palo Alto Networks Unit 42 report that threat actors are using an updated version of MiniJunk called MiniUpdate and MiniJunk V2 to target organizations in the United States, Israel, the United Arab Emirates, and the Middle East. U.S. oil and gas companies were among the companies targeted as part of the elaborate espionage plan.
The findings show that Iranian threat actors are adopting North Korea’s playbook wholesale, infiltrating target organizations by offering well-paying job opportunities to their employees.
“The group has increased its activities since the regional conflict began in February 2026, deploying two families of RAT variants across its organization in up to five countries,” Unit 42 researchers said.

“These recent campaigns are characterized by a highly personalized approach to adversary recruitment. By leveraging customized social engineering tactics, such as fake job offers or spoofed video conference invitations, attackers lure victims into the infection chain, thereby exposing organizations to further exploitation.”
The disclosure comes as Iranian hackers are suspected of carrying out a series of attacks on tank gauges at gas stations across multiple U.S. states; while the incidents did not cause any physical damage or harm, they raised concerns that such access could potentially result in undetected fuel leaks or other risks to critical infrastructure.
“The hackers were able to exploit automated tank gauging (ATG) systems that were online and not password protected, and in some cases were able to tamper with the readings on the tank, but not the actual fuel level in the tank,” CNN reported, citing unnamed sources.
